Chilkat HOME .NET Core C# Android™ AutoIt C C# C++ Chilkat2-Python CkPython Classic ASP DataFlex Delphi ActiveX Delphi DLL Go Java Lianja Mono C# Node.js Objective-C PHP ActiveX PHP Extension Perl PowerBuilder PowerShell PureBasic Ruby SQL Server Swift 2 Swift 3,4,5... Tcl Unicode C Unicode C++ VB.NET VBScript Visual Basic 6.0 Visual FoxPro Xojo Plugin
(Tcl) Rewrite PFX using AES256-SHA256Demonstrates how to load a .pfx/.p12, examine the encryption algorithm used, and rewrite using aes256-sha256. Note: This example requires Chilkat v9.5.0.83 or greater.
load ./chilkat.dll # This example requires Chilkat v9.5.0.83 or greater. set pfx [new_CkPfx] # Let's load a .pfx and examine the encryption algorithms used to protect the private key: set success [CkPfx_LoadPfxFile $pfx "qa_data/pfx/test_secret.pfx" "secret"] if {$success == 0} then { puts [CkPfx_lastErrorText $pfx] delete_CkPfx $pfx exit } # Examine the algorithms: # "pbeWithSHAAnd3_KeyTripleDES_CBC" or "pbes2"? puts "Algorithm: [CkPfx_algorithmId $pfx]" # If the algorithm is "pbes2" then examine the actual encryption and HMAC algorithms used within pbes2. # (If the algorithm is NOT "pbes2", then the following properties are meaningless and will not be modified from their previous values prior to loading the PFX.) puts "Pbes2CryptAlg: [CkPfx_pbes2CryptAlg $pfx]" puts "Pbes2HmacAlg: [CkPfx_pbes2HmacAlg $pfx]" # Our output so far: # Algorithm: pbeWithSHAAnd3_KeyTripleDES_CBC # Pbes2CryptAlg: aes256-cbc # Pbes2HmacAlg: hmacWithSha256 # This tells us that the PFX we loaded was protected using triple-DES with SHA1. # (Most existing .pfx/.p12 files use 3DES w/ SHA1.) # The Pbes2CryptAlg and Pbes2HmacAlg properties do not apply here because the AlgorithmId is not equal to "pbes2". We can ignore those values. # Examine the LastJsonData for the call to LoadPfxFile. This gives us information about what is contained in the PFX, including extended attributes. # json is a CkJsonObject set json [CkPfx_LastJsonData $pfx] CkJsonObject_put_EmitCompact $json 0 puts [CkJsonObject_emit $json] delete_CkJsonObject $json # Here's a sample LastJsonData: # Use this online tool to generate parsing code from sample JSON: # Generate Parsing Code from JSON # { # "authenticatedSafe": { # "contentInfo": [ # { # "type": "Data", # "safeBag": [ # { # "type": "pkcs8ShroudedKeyBag", # "attrs": { # "localKeyId": "16444216", # "keyContainerName": "{F09B755A-1E90-444D-9851-02B86CA14961}", # "msStorageProvider": "Microsoft Enhanced Cryptographic Provider v1.0" # } # } # ] # }, # { # "type": "EncryptedData", # "safeBag": [ # { # "type": "certBag", # "attrs": { # "localKeyId": "16444216" # }, # "subject": "....", # "serialNumber": "9999999999999999999999999999" # }, # { # "type": "certBag", # "attrs": { # "authRootSha256Hash": "0vkOXTXKxNQffUTOZq/4heGBX7M5GFhTqH5mwFyb7x4=", # "friendlyName": "XYZ", # "enhKeyUsage": [ # { # "oid": "1.3.6.1.5.5.7.3.2", # "usage": "clientAuth" # }, # { # "oid": "1.3.6.1.5.5.7.3.4", # "usage": "emailProtection" # }, # { # "oid": "1.3.6.1.5.5.7.3.3", # "usage": "codeSigning" # }, # { # "oid": "1.3.6.1.5.5.7.3.8", # "usage": "timeStamping" # }, # { # "oid": "1.3.6.1.4.1.311.10.3.4", # "usage": "encryptedFileSystem" # }, # { # "oid": "1.3.6.1.5.5.8.2.2", # "usage": "iKEIntermediate" # }, # # { # "oid": "1.3.6.1.5.5.7.3.6", # "usage": "ipsecTunnel" # }, # { # "oid": "1.3.6.1.5.5.7.3.7", # "usage": "ipsecUser" # }, # { # "oid": "1.3.6.1.5.5.7.3.5", # "usage": "ipsecEndSystem" # } # ] # }, # "subject": "...", # "serialNumber": "8888888888888888888888888888" # }, # { # "type": "certBag", # "subject": "...", # "serialNumber": "777777777777777777777777777" # } # ] # } # ] # } # } # ------------------------------------------------------------------------------------------ # OK... now let's change the AlgorithmId to "pbes2" CkPfx_put_AlgorithmId $pfx "pbes2" # We already know from above that the PBES2 crypt and HMAC algorithms are "aes256-cbc" and "hmacWithSha256". # Let's set them anyway just for the example... CkPfx_put_Pbes2CryptAlg $pfx "aes256-cbc" CkPfx_put_Pbes2HmacAlg $pfx "hmacWithSha256" # Rewrite the PFX using pbes2/aes256 + sha256 set success [CkPfx_ToFile $pfx "secret" "qa_output/test_secret_aes256.pfx"] if {$success == 0} then { puts [CkPfx_lastErrorText $pfx] delete_CkPfx $pfx exit } puts "Success." delete_CkPfx $pfx |
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.